Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2023 12:26

General

  • Target

    Revil.exe

  • Size

    119KB

  • MD5

    fa8117afd2dbd20513522f2f8e991262

  • SHA1

    f7b876edb8fc0c83fd8b665d3c5a1050d4396302

  • SHA256

    78b592a2710d81fa91235b445f674ee804db39c8cc34f7e894b4e7b7f6eacaff

  • SHA512

    2bab344d136b31cd7c55b7cd0ef1b7718c9952573f3b1478a2efb8211563d7dedacefd4764a7186e15f7de93cc43fa29fc4d2fa61961a14bb12d7bea830e5032

  • SSDEEP

    3072:KW5yc3Y4SMQwuOekD96R928AN+/uSxo+HHz/bs/k4OS:K83Y5BAxa92KrxTnz/Y/k4O

Malware Config

Extracted

  • Family
    sodinokibi
  • Botnet
    $2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6
  • Campaign
    49

Attributes
  • net

    false

  • pid

    $2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6

  • prc

    vsnapvss

    EnterpriseClient

    firefox

    infopath

    cvd

    tv_x64.exe

    VeeamTransportSvc

    steam

    encsvc

    mydesktopservice

    outlook

    synctime

    ocssd

    SAP

    cvfwd

    bengien

    vxmon

    bedbh

    ocomm

    ocautoupds

    raw_agent_svc

    oracle

    disk+work

    powerpnt

    saposcol

    sqbcoreservice

    sapstartsrv

    beserver

    saphostexec

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find EDGEWATER-README.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!

  • sub

    49

  • svc

    QBCFMonitorService

    thebat

    dbeng50

    winword

    dbsnmp

    VeeamTransportSvc

    disk+work

    TeamViewer_Service.exe

    firefox

    QBIDPService

    steam

    onenote

    CVMountd

    cvd

    VeeamDeploymentSvc

    VeeamNFSSvc

    bedbh

    mydesktopqos

    avscc

    infopath

    cvfwd

    excel

    beserver

    powerpnt

    mspub

    synctime

    QBDBMgrN

    tv_w32.exe

    EnterpriseClient

    msaccess

Extracted

  • Path
    C:\Recovery\EDGEWATER-README.txt
  • Ransom Note
    ---=== Welcome. Again. ===--- [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have emd4l3g7 extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion When you visit our website, put the following data into the input form: Key: g44kIYGhPx0B1w6FSJwIZaw6Q05Z93eg5DsXj5I+QrTL+YhA40K0k0ZQNec8Srgz G9kPsD1BfUtBXlXPgrmGdMil/s9135YKQ+afkZy7I9tKhatj01KH6FosP8aG195M 5FKDrIwYEUXb38imTWGbN3rRDNbqQ/SqdztNAg4btuDEBA7UcdOVJDJaNF24O5Gl P8dLe1TT2cSTZlTZamm6SC7Ix+5OSiJjoqngP2ybul+j4EUWxbVRZZcNs94toK+2 ET/KVh69a2IqfYPpXs0qGo7WUGgQ3qmIttVJX6nkXVPfHRBIlsiEOa0hJGZPh/50 D+dDCtALP+0/yje5gE1jacLBxX5tZONteNY/4olcNr6rDh0xSLYmk66DHc39Jt87 aOi6g1QwEOJBufv6jkVgIfyeBo3zRBJVoq4+2xsPPzIycKgdRCOsC8AyQhEYsy8z ujidlUoy2+VeqdGFuRzLMj43b5M1E00fF69vn51g3E3HPziKak5VyiL+yn9aKwkG FpO+X8leYDcl17WYU8Lrzl2tl9OvLJADm/iXmHwFBffE0n9U5FEljqjomXSXGQDI 6ZtRrccxZ6i4X3XW5THsDZ5NfAyS5LCiUZUx+eqr/ggWU6DNEym+ffPhatE88ah9 r4sWnq7zg8wxuyREMzsORMPISQPgyBmxURGMs1QCgWi0HRumybDt7RAK+xe+OFuN vlnoe8IqCi060ggIVx5wBe4SCODjk8FwbL/5k0rpzpz2kBvGMx6gJ9inzvtD/t49 hbuo0jt2gID89MqBqwCU8W3tiKUKZ4Jul2ec79HhKKsbVsgqJQA+2pxIc1azlhlm wGUefOIL0WBlkXOeEw1uVmRR2k0p4/Wy4HJLUDQF4t/F+CatBlqfwrccQP8J9Lb3 Q1qPx38j3oOx5uyHhUKAiJZICFE3uqOg1aTiK17FHRThGX3IFoEgoV+C2GFtaTro C7V2iImyHmOiS7Bt/fYOZZ1/L3vNz3UWwk6ln8sZv2MdQSjg4Pqw0dSHbBRwkiRi FQUWJ74BeZM7jFPXrlNLEB686Q8HfLBPWtX39O0Urp72TP4dceyVtOVXY6oObSj8 SmlRV/tZEkdy3OdsKrMWrDtP9oTNmXODWgU/G3udkzPb3hiKC8okINrxPgLexppJ 0kn+MjOSK0cXUQvACbjkAWbti/Ya3bZUvauCySiH2Tw9TDiLZUqUkk1T82csvfNL bxRJ8vgF1LvX1dMgebzfzV5aZXYgtmycSJnr/ShZLbt++dGpCKBkOBPqYej5BSem gZWxp/Oe5e9tX8Z7jRYPRloAPe8GSNmD0yoQc/zH !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!

URLs

http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revil.exe
    "C:\Users\Admin\AppData\Local\Temp\Revil.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:820
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:4612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3656
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1592
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\EDGEWATER-README.txt
    1⤵
    PID:928
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.0.805638234\1241528181" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c14800ac-6726-41f7-bcd1-b0887e76a93b} 952 "\\.\pipe\gecko-crash-server-pipe.952" 1916 1e927b18f58 gpu
        3⤵
        PID:5036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.1.868077025\1981275436" -parentBuildID 20221007134813 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {364ffcb7-1af0-411d-9701-22060a7ca56b} 952 "\\.\pipe\gecko-crash-server-pipe.952" 2320 1e919b72258 socket
        3⤵
        PID:4604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.2.702027262\807800161" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 3016 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b9345fe-ee2a-478a-ac1f-0a9192c454e1} 952 "\\.\pipe\gecko-crash-server-pipe.952" 2852 1e926a93a58 tab
        3⤵
        PID:4676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.3.106384205\583095537" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3452 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {691a5033-d98e-46a1-9dce-15c83788c12e} 952 "\\.\pipe\gecko-crash-server-pipe.952" 1448 1e919b64d58 tab
        3⤵
        PID:1864
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.4.547139582\1724242994" -childID 3 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7982a46-a068-4078-8288-785cc7ffe84a} 952 "\\.\pipe\gecko-crash-server-pipe.952" 4032 1e919b62b58 tab
        3⤵
        PID:2232
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.5.895855528\1841134398" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 2796 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28884098-b2ec-4bbd-91a7-0a5456b71169} 952 "\\.\pipe\gecko-crash-server-pipe.952" 4820 1e92ce13058 tab
        3⤵
        PID:284
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.7.1484719223\1037916001" -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40fa9b26-a625-4ab5-9aad-e3bd229d12d9} 952 "\\.\pipe\gecko-crash-server-pipe.952" 5204 1e92ce14858 tab
        3⤵
        PID:1560
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.6.1365605456\383882499" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d5797c-47f0-49a5-8d93-b3219ba55f30} 952 "\\.\pipe\gecko-crash-server-pipe.952" 5092 1e92ce11b58 tab
        3⤵
        PID:4800

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Recovery\EDGEWATER-README.txt
    Filesize: 5KB
    MD5: 0653bba8d16055266ce80549fedcd50b
    SHA1: 04d3bdbf195b183f5339228039012a71fbc2ed40
    SHA256: 55c9b611135f23c90321dc3a9dfedddd9fe80d076372e1926e0584bf50ca502f
    SHA512: 89c63b5fbbfd6aced0b7d349d9e45e85fb14493d1ed3b3195e6abc0cf2bfd5ad926088b757b51f1191938677b1795ff85ca6a5d8fa6c6d7f039ddb74008944ef

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfwqgh4n.eia.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 6ac81b523ba498a27b4e0ff11b481dfb
    SHA1: bc9609f16f45c7306543cc1bd9ec1090681f8ade
    SHA256: 7a5f22cc2d2b1db9e27d23d45fcd6fddee6bc204138bcd4f898f4e1b29d00fb9
    SHA512: 3003ff812b3bce32942949c484f9ef33326e677938b2127d66e0729750b397a17408c2816f6caebecba916eda5a21d82d6def22e656c0b7f3dcde662763403dc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
    Filesize: 6KB
    MD5: 108b97b1ff7efbdb1aecce96d55ff2e5
    SHA1: bb72b2e0c3d859fe5e821632307a32df331b55e1
    SHA256: c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e
    SHA512: e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 7f2b8f49b607474270b2232171284aa4
    SHA1: 69ede61485dd20dad59f21abf1b85b6591ea99bc
    SHA256: 8fb8efb01e49a89b3fc95a0d8c92eba55a6f5e68da7e9da89effe5d7c7e228a4
    SHA512: 11b01c9fa33706caae15b87874d97b39282eb304ee698d6af72207ee0c11abfcbdfa6c5bd85740ffe6b9545d3d0539afa7f9b8da6c2e03e5bacc50d2ed3db829

  • C:\Users\Public\Desktop\EDGEWATER-README.txt
    Filesize: 5KB
    MD5: 0653bba8d16055266ce80549fedcd50b
    SHA1: 04d3bdbf195b183f5339228039012a71fbc2ed40
    SHA256: 55c9b611135f23c90321dc3a9dfedddd9fe80d076372e1926e0584bf50ca502f
    SHA512: 89c63b5fbbfd6aced0b7d349d9e45e85fb14493d1ed3b3195e6abc0cf2bfd5ad926088b757b51f1191938677b1795ff85ca6a5d8fa6c6d7f039ddb74008944ef

  • memory/820-145-0x00000191A5530000-0x00000191A5540000-memory.dmp
    Filesize: 64KB

  • memory/820-147-0x00000191A5530000-0x00000191A5540000-memory.dmp
    Filesize: 64KB

  • memory/820-146-0x00000191A5530000-0x00000191A5540000-memory.dmp
    Filesize: 64KB

  • memory/820-135-0x00000191A54E0000-0x00000191A5502000-memory.dmp
    Filesize: 136KB

  • memory/2160-150-0x0000000000F60000-0x0000000000F80000-memory.dmp
    Filesize: 128KB

  • memory/2160-239-0x0000000000F60000-0x0000000000F80000-memory.dmp
    Filesize: 128KB

  • memory/2160-544-0x0000000000F60000-0x0000000000F80000-memory.dmp
    Filesize: 128KB

  • memory/2160-553-0x0000000000F60000-0x0000000000F80000-memory.dmp
    Filesize: 128KB

  • memory/2160-133-0x0000000000F60000-0x0000000000F80000-memory.dmp
    Filesize: 128KB

  • memory/2160-134-0x0000000000F60000-0x0000000000F80000-memory.dmp
    Filesize: 128KB